Releases: hashicorp/vault

v1.9.2

21 Dec 21:00
f4c6d87

1.9.2

December 21, 2021

CHANGES:

  • go: Update go version to 1.17.5 [GH-13408]

IMPROVEMENTS:

  • auth/jwt: The Authorization Code flow makes use of the Proof Key for Code Exchange (PKCE) extension. [GH-13365]

BUG FIXES:

  • ui: Fix client count current month data not showing unless monthly history data exists [GH-13396]

v1.8.7

21 Dec 20:49
cbb9028

1.8.7

December 21, 2021

CHANGES:

  • go: Update go version to 1.16.12 [GH-13422]

v1.7.8

21 Dec 20:47
e83423c

1.7.8

December 21, 2021

CHANGES:

  • go: Update go version to 1.16.12 [GH-13422]

BUG FIXES:

  • auth/aws: Fix EC2 login no longer supporting DSA signature verification [GH-12340]
  • identity: Fix a panic on arm64 platform when doing identity I/O. [GH-12371]

v1.9.1

10 Dec 00:11
3d69cbb

1.9.1

December 9, 2021

IMPROVEMENTS:

  • storage/aerospike: Upgrade aerospike-client-go to v5.6.0. [GH-12165]

BUG FIXES:

  • auth/approle: Fix regression where unset cidrlist is returned as nil instead of zero-length array. [GH-13235]
  • ha (enterprise): Prevents performance standby nodes from serving and caching stale data immediately after performance standby election completes
  • http: Fix /sys/monitor endpoint returning "streaming not supported" [GH-13200]
  • identity/oidc: Make the nonce parameter optional for the Authorization Endpoint of OIDC providers. [GH-13231]
  • identity: Fixes a panic in the OIDC key rotation due to a missing nil check. [GH-13298]
  • sdk/queue: move lock before length check to prevent panics. [GH-13146]
  • secrets/azure: Fixes service principal generation when assigning roles that have DataActions. [GH-13277]
  • secrets/pki: Recognize ed25519 when requesting a response in PKCS8 format [GH-13257]
  • storage/raft: Fix a panic when trying to store a key > 32KB in a transaction. [GH-13286]
  • storage/raft: Fix a panic when trying to write a key > 32KB [GH-13282]
  • ui: Do not show verify connection value on database connection config page [GH-13152]
  • ui: Fixes issue restoring raft storage snapshot [GH-13107]
  • ui: Fixes issue with OIDC auth workflow when using MetaMask Chrome extension [GH-13133]
  • ui: Fixes issue with automate secret deletion value not displaying initially if set in secret metadata edit view [GH-13177]
  • ui: Fixes issue with placeholder not displaying for automatically deleted secrets when deletion time has passed [GH-13166]
  • ui: Fixes node-forge error when parsing EC (elliptic curve) certs [GH-13238]

v1.8.6

09 Dec 16:59
c35f435

1.8.6

December 9, 2021

CHANGES:

  • go: Update go version to 1.16.9 [GH-13029]

BUG FIXES:

  • ha (enterprise): Prevents performance standby nodes from serving and caching stale data immediately after performance standby election completes
  • storage/raft: Fix a panic when trying to store a key > 32KB in a transaction. [GH-13286]
  • storage/raft: Fix a panic when trying to write a key > 32KB [GH-13282]
  • ui: Adds pagination to auth methods list view [GH-13054]
  • ui: Do not show verify connection value on database connection config page [GH-13152]
  • ui: Fixes issue restoring raft storage snapshot [GH-13107]
  • ui: Fixes issue with OIDC auth workflow when using MetaMask Chrome extension [GH-13133]
  • ui: Fixes issue with the number of PGP Key inputs not matching the key shares number in the initialization form on change [GH-13038]

v1.7.7

09 Dec 16:36
77b9623

1.7.7

December 9, 2021

BUG FIXES:

  • ha (enterprise): Prevents performance standby nodes from serving and caching stale data immediately after performance standby election completes
  • storage/raft: Fix a panic when trying to store a key > 32KB in a transaction. [GH-13286]
  • storage/raft: Fix a panic when trying to write a key > 32KB [GH-13282]
  • ui: Fixes issue restoring raft storage snapshot [GH-13107]
  • ui: Fixes issue with OIDC auth workflow when using MetaMask Chrome extension [GH-13133]
  • ui: Fixes issue with the number of PGP Key inputs not matching the key shares number in the initialization form on change [GH-13038]

v1.9.0

17 Nov 17:19
6dae166

1.9.0

November 17, 2021

CHANGES:

  • expiration: VAULT_16_REVOKE_PERMITPOOL environment variable has been removed. [GH-12888]
  • expiration: VAULT_LEASE_USE_LEGACY_REVOCATION_STRATEGY environment variable has been removed. [GH-12888]
  • go: Update go version to 1.17.2
  • secrets/ssh: Roles with empty allowed_extensions will now forbid end-users specifying extensions when requesting ssh key signing. Update roles setting allowed_extensions to * to permit any extension to be specified by an end-user. [GH-12847]

FEATURES:

  • Customizable HTTP Headers: Add support to define custom HTTP headers for root path (/) and also on API endpoints (/v1/*) [GH-12485]
  • Deduplicate Token With Entities in Activity Log: Vault tokens without entities are now tracked with client IDs and deduplicated in the Activity Log [GH-12820]
  • Elasticsearch Database UI: The UI now supports adding and editing Elasticsearch connections in the database secret engine. [GH-12672]
  • KV Custom Metadata: Add ability in kv-v2 to specify version-agnostic custom key metadata via the metadata endpoint. The data will be present in responses made to the data endpoint independent of the calling token's read access to the metadata endpoint. [GH-12907]
  • KV patch (Tech Preview): Add partial update support for the /<mount>/data/:path kv-v2 endpoint through HTTP PATCH. A new patch ACL capability has been added and is required to make such requests. [GH-12687]
  • Key Management Secrets Engine (Enterprise): Adds support for distributing and managing keys in GCP Cloud KMS.
  • Local Auth Mount Entities (enterprise): Logins on local auth mounts will generate identity entities for the tokens issued. The aliases of the entity resulting from local auth mounts (local-aliases) will be scoped by the cluster. This means that the local-aliases will never leave the geographical boundary of the cluster where they were issued. This is something to be mindful about for those who have implemented local auth mounts for complying with GDPR guidelines.
  • Namespaces (Enterprise): Adds support for locking Vault API for particular namespaces.
  • OIDC Identity Provider (Tech Preview): Adds support for Vault to be an OpenID Connect (OIDC) provider. [GH-12932]
  • Oracle Database UI: The UI now supports adding and editing Oracle connections in the database secret engine. [GH-12752]
  • Postgres Database UI: The UI now supports adding and editing Postgres connections in the database secret engine. [GH-12945]

IMPROVEMENTS:

  • agent/cache: Process persistent cache leases in dependency order during restore to ensure child leases are always correctly restored [GH-12843]
  • agent/cache: Use an in-process listener between consul-template and vault-agent when caching is enabled and either templates or a listener is defined [GH-12762]
  • agent/cache: tolerate partial restore failure from persistent cache [GH-12718]
  • agent/template: add support for new 'writeToFile' template function [GH-12505]
  • api: Add configuration option for ensuring isolated read-after-write semantics for all Client requests. [GH-12814]
  • api: adds native Login method to Go client module with different auth method interfaces to support easier authentication [GH-12796]
  • api: Move mergeStates and other required utils from agent to api module [GH-12731]
  • api: Support VAULT_HTTP_PROXY environment variable to allow overriding the Vault client's HTTP proxy [GH-12582]
  • auth/approle: The role/:name/secret-id-accessor/lookup endpoint now returns a 404 status code when the secret_id_accessor cannot be found [GH-12788]
  • auth/approle: expose secret_id_accessor as WrappedAccessor when creating wrapped secret-id. [GH-12425]
  • auth/aws: add profile support for AWS credentials when using the AWS auth method [GH-12621]
  • auth/kubernetes: validate JWT against the provided role on alias look ahead operations [GH-12688]
  • auth/kubernetes: Add ability to configure entity alias names based on the serviceaccount's namespace and name. #110 #112 [GH-12633]
  • auth/oidc: Adds the skip_browser CLI option to allow users to skip opening the default browser during the authentication flow. [GH-12876]
  • auth/okta: Send x-forwarded-for in Okta Push Factor request [GH-12320]
  • auth/token: Add allowed_policies_glob and disallowed_policies_glob fields to token roles to allow glob matching of policies [GH-7277]
  • cli: Operator diagnose now tests for missing or partial telemetry configurations. [GH-12802]
  • cli: add new HTTP option -header, which enables sending arbitrary headers with the CLI [GH-12508]
  • command: operator generate-root -decode: allow passing encoded token via stdin [GH-12881]
  • core/token: Return the token_no_default_policy config on token role read if set [GH-12565]
  • core: Add support for go-sockaddr templated addresses in config. [GH-9109]
  • core: adds custom_metadata field for aliases [GH-12502]
  • core: Update Oracle Cloud library to enable seal integration with the uk-gov-london-1 region [GH-12724]
  • core: Update github.com/ulikunitz/xz to fix security vulnerability GHSA-25xm-hr59-7c27. [GH-12253]
  • core: Upgrade github.com/gogo/protobuf [GH-12255]
  • core: build with Go 1.17, and mitigate a breaking change they made that could impact how approle and ssh interpret IPs/CIDRs [GH-12868]
  • core: observe the client counts broken down by namespace for partial month client count [GH-12393]
  • db/cassandra: make the connect_timeout config option actually apply to connection timeouts, in addition to non-connection operations [GH-12903]
  • identity/token: Only return keys from the .well-known/keys endpoint that are being used by roles to sign/verify tokens. [GH-12780]
  • identity: fix issue where Cache-Control header causes stampede of requests for JWKS keys [GH-12414]
  • physical/etcd: Upgrade etcd3 client to v3.5.0 and etcd2 to v2.305.0. [GH-11980]
  • pki: adds signature_bits field to customize signature algorithm on CAs and certs signed by Vault [GH-11245]
  • plugin: update the couchbase gocb version in the couchbase plugin [GH-12483]
  • replication (enterprise): Add merkle.flushDirty.num_pages_outstanding metric which specifies number of outstanding dirty pages that were not flushed. [GH-2093]
  • sdk/framework: The '+' wildcard is now supported for parameterizing unauthenticated paths. [GH-12668]
  • secrets/aws: Add conditional template that allows custom usernames for both STS and IAM cases [GH-12185]
  • secrets/azure: Adds support for rotate-root. #70 [GH-13034]
  • secrets/azure: Adds support for using Microsoft Graph API since Azure Active Directory API is being removed in 2022. #67 [GH-12629]
  • secrets/database: Update MSSQL dependency github.com/denisenkom/go-mssqldb to v0.11.0 and include support for contained databases in MSSQL plugin [GH-12839]
  • secrets/pki: Allow signing of self-issued certs with a different signature algorithm. [GH-12514]
  • secrets/pki: Use entropy augmentation when available when generating root and intermediate CA key material. [GH-12559]
  • secrets/pki: select appropriate signature algorithm for ECDSA signat...

v1.9.0-rc1

05 Nov 20:15
79e35d4
fix and test fix (#13050) (#13051)

v1.8.5

04 Nov 14:12
647eccf

1.8.5

November 4, 2021

BUG FIXES:

  • auth/aws: fix config/rotate-root to store new key [GH-12715]
  • core/identity: Cleanup alias in the in-memory entity after an alias deletion by ID [GH-12834]
  • core/identity: Disallow entity alias creation/update if a conflicting alias exists for the target entity and mount combination [GH-12747]
  • http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
  • identity/token: Adds missing call to unlock mutex in key deletion error handling [GH-12916]
  • kmip (enterprise): Fix handling of custom attributes when servicing GetAttributes requests
  • kmip (enterprise): Fix handling of invalid role parameters within various vault api calls
  • kmip (enterprise): Forward KMIP register operations to the active node
  • secrets/keymgmt (enterprise): Fix support for Azure Managed HSM Key Vault instances. [GH-12952]
  • transform (enterprise): Fix an error where the decode response of an expired token is an empty result rather than an error.

v1.7.6

04 Nov 14:03
2c49e3f

1.7.6

November 4, 2021

BUG FIXES:

  • auth/aws: fix config/rotate-root to store new key [GH-12715]
  • core/identity: Cleanup alias in the in-memory entity after an alias deletion by ID [GH-12834]
  • core/identity: Disallow entity alias creation/update if a conflicting alias exists for the target entity and mount combination [GH-12747]
  • core: Fix a deadlock on HA leadership transfer [GH-12691]
  • http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
  • kmip (enterprise): Fix handling of custom attributes when servicing GetAttributes requests
  • kmip (enterprise): Fix handling of invalid role parameters within various vault api calls
  • kmip (enterprise): Forward KMIP register operations to the active node
  • secrets/keymgmt (enterprise): Fix support for Azure Managed HSM Key Vault instances. [GH-12957]
  • storage/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
  • database/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
  • transform (enterprise): Fix an error where the decode response of an expired token is an empty result rather than an error.